From: Damjan Jovanovic
Date: Tue, 26 Sep 2017 11:00:45 +0200
Subject: Re: FreeBSD, IPFW and the SIP/VoIP NAT problem
To: "O. Hartmann"
Cc: freebsd-current, reebsd-ipfw@freebsd.org

On Tue, Sep 26, 2017 at 10:35 AM, O. Hartmann wrote:
> Hello,
>
> trying to build a FreeBSD based router/PBX (Asterisk 13) appliance, I ran into several problems. My questions might have a "noobish" character, so my apology, my experiences with IPFW are not as thorough as they should be.
>
> Before I go in medias res, a question about Pine64/AARCH64:
>
> - port net/asterisk13 is supposed to build only on armv6; is aarch64 also going to be supported soon?
> - would a Pine64 running CURRENT (12) be sufficient as a PBX platform (assuming it has 2 GB of RAM)?
>
> My main concern is about IPFW (we do not use PF for some reasons, I have to stay with IPFW).
>
> I'm a customer of two ITSPs and my SoHo network is behind NAT and not yet IPv6. The FreeBSD system acting as a router is supposed to have a jail soon containing the Asterisk 13 IP PBX (at the moment running on the main system). To provide access to the VoIP infrastructure inside/behind the router/NAT system, the in-kernel NAT facility of FreeBSD is forwarding the relevant UDP/TCP ports for VoIP to its destination network, and here I have a problem to solve.
>
> While it is simple and easy to forward 5060/udp, 5070/tcp and other ports, it is a mess and pain in the arse to forward a whole range, say 11000/udp - 35000/udp, which is a range one of my providers is sending RTP on. A second provider uses another range for RTP, starting at 5000/udp. So, the logical consequence would be to set up a union UDP range to forward, which then expands from 5000/udp to 45000/udp - which is much more of a pain ...
>
> One of the most disturbing and well known problems is that due to the stateful firewall the RTP session very often is half duplex - it seems one direction of the RTP connection doesn't make it through IPFW/NAT. As often as I search the net, I always get informed this is a typical problem and solutions are provided by so called ALGs - since the SIP protocol's SDP indicates within the payload of the packets on which UDP ports both ends wish to establish their RTP session, it would be "easy" to pinhole the IPFW on exactly those ports for a theoretically large number of sessions, if IPFW could "divert" those packets to an instance inspecting SDP (or whatever is used for the RTP port indication, I'm new to that, sorry for the terminology) and then pinholing the NAT/IPFW for exactly this purpose without the forwarding mess. I came along netgraph() while searching for hints and hooks, but it seems a complete Linux domain, when it comes to appliances like VoIP/IP PBX.
>
> Either the problem is that trivial on FreeBSD, so no further mentioning is necessary (which would explain the vast emptiness of explanations, hints and so on), or FreeBSD is a complete wasteland on this subject - which I also suspect, since pfSense and OPNsense must have come along with such problems and I simply do not know or recognise the software used for those purposes.
>
> So, if someone enlightened in this matter stumbles over my question and could delegate me onto the right way (ports, ng_XXX netgraph facilities to look at, some ipfw techniques relevant to the problem apart from the stupid simple forwarding of large ranges of ports) - I'd appreciate this and
>
> thanks in advance for patience and help,
>
> Oliver

Hi

It might be easier if you just enable STUN on Asterisk, and build FreeBSD from source with my [largely neglected :( ] patch on https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219918

That way Asterisk should dynamically discover consistent external mappings for connections, making port forwarding RTP unnecessary.

Damjan
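As an added example that is not part of this thread (and not Asterisk's or FreeBSD's code), here is the STUN Binding exchange Damjan's suggestion relies on, in Python: the client builds a Binding Request and decodes the XOR-MAPPED-ADDRESS from the reply, which is the external IP:port the NAT assigned to its RTP socket. The STUN server and the public address 203.0.113.7:11042 are constructed stand-ins so the code runs offline.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442  # RFC 5389 fixed cookie; also the XOR key for XOR-MAPPED-ADDRESS
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS = 0x0001, 0x0020

def build_binding_request(transaction_id=None):
    """Binding Request: 20-byte header (type, length, cookie, 96-bit id), no attributes."""
    tid = transaction_id if transaction_id is not None else os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + tid

def parse_mapped_address(response, transaction_id):
    """Return (ip, port) the server saw the request come from, i.e. the NAT's external mapping.
    Prefers XOR-MAPPED-ADDRESS (safe from ALGs rewriting embedded addresses), else MAPPED-ADDRESS."""
    msg_type, length, cookie = struct.unpack("!HHI", response[:8])
    if cookie != MAGIC_COOKIE or response[8:20] != transaction_id:
        raise ValueError("response does not belong to our transaction")
    if msg_type != BINDING_SUCCESS:
        return None
    body, off, legacy = response[20:20 + length], 0, None
    while off + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + attr_len]
        off += 4 + ((attr_len + 3) & ~3)        # attribute values are padded to 4 bytes
        if attr_len >= 8 and value[1] == 0x01:  # address family 0x01 = IPv4 (IPv6 omitted)
            port, ip = struct.unpack("!HI", value[2:8])
            if attr_type == ATTR_XOR_MAPPED_ADDRESS:
                port, ip = port ^ (MAGIC_COOKIE >> 16), ip ^ MAGIC_COOKIE
                return socket.inet_ntoa(struct.pack("!I", ip)), port
            if attr_type == ATTR_MAPPED_ADDRESS:
                legacy = socket.inet_ntoa(struct.pack("!I", ip)), port
    return legacy

def constructed_stun_server(request, public_ip, public_port):
    """Constructed stand-in for a STUN server: echoes the transaction id, reports the source address."""
    if struct.unpack("!H", request[:2])[0] != BINDING_REQUEST:
        raise ValueError("not a Binding Request")
    ip = struct.unpack("!I", socket.inet_aton(public_ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, public_port ^ (MAGIC_COOKIE >> 16), ip)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + request[8:20] + attr

def discover_external_mapping(public_ip="203.0.113.7", public_port=11042):
    """Full round trip; this is the address Asterisk would advertise in its SDP instead of the
    private RTP address, as long as the NAT keeps the mapping consistent."""
    tid = os.urandom(12)
    reply = constructed_stun_server(build_binding_request(tid), public_ip, public_port)
    return parse_mapped_address(reply, tid)
```

Against a real server the request would go out over the same UDP socket Asterisk later uses for RTP, since the mapping is per socket; if the NAT hands out a different external port per destination, the discovered address is useless, which is why a consistent mapping matters.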